From our user in Debian (Paolo Larcheri <paolo.larcheri@gmail.com>):
According to PAM_WINBIND(8) warn_pwd_expire should define the number
of days before pam_winbind starts to warn about passwords that are going
to expire. Defaults to 14 days.
I found out this option has been only partially implemented and using it leads
to the following in /var/log/auth.log:
pam_winbind(sshd:auth): pam_parse: unknown option: warn_pwd_expire=0
and the following in /var/log/messages:
sshd[2485]: segfault at 0 ip b6ffcb11 sp bf9749b0 error 4 in
pam_winbind.so[b6ff7000+e000]
Module segfaults and user does not get authenticated.
I managed to make it work with this:
--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -494,6 +494,9 @@ config_from_pam:
ctrl |= WINBIND_CACHED_LOGIN;
else if (!strcasecmp(*v, "mkhomedir"))
ctrl |= WINBIND_MKHOMEDIR;
+ else if (!strncasecmp(*v, "warn_pwd_expire",
+ strlen("warn_pwd_expire")))
+ ctrl |= WINBIND_WARN_PWD_EXPIRE;
else {
__pam_log(pamh, ctrl, LOG_ERR,
"pam_parse: unknown option: %s", *v);
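Review bot: the added strncasecmp(*v, "warn_pwd_expire", strlen("warn_pwd_expire")) test is a prefix match, so any argument that merely begins with warn_pwd_expire (a longer misspelled name, or the bare name with no =value) sets WINBIND_WARN_PWD_EXPIRE instead of reaching the unknown-option branch. Consider also requiring that the character after the prefix is '=' or the end of the string. Separately, this only keeps warn_pwd_expire out of the else branch; the visible lines do not show why the reported segfault at address 0 occurs, so that may need its own fix.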
What is more, the module turned out not to accept 0 as value even if it's
supposed to be a valid value (at least considering how this parameter is used):
	if ((next_change < 0) ||
	    (next_change > now + warn_pwd_expire * SECONDS_PER_DAY)) {
		return false;
	}
I got it working by simply allowing 0 as value:
--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -2363,7 +2363,7 @@ static int get_warn_pwd_expire_from_conf
ret = get_config_item_int(ctx, "warn_pwd_expire",
WINBIND_WARN_PWD_EXPIRE);
/* no or broken setting */
- if (ret <= 0) {
+ if (ret < 0) {
return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
}
return ret;
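Review bot: with the test relaxed to "ret < 0", the branch under the "no or broken setting" comment only runs if get_config_item_int() returns a negative number for a missing or unparsable value, which these lines do not show. If it can return 0 in those cases, the fallback to DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES is lost and the warning window shrinks to zero days without any log message. Please confirm the helper's error return, and update the comment and PAM_WINBIND(8) to state what a value of 0 means.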
I have also checked upstream code and latest 3.6.6 tarball in fact
is affected.
Kind Regards (and thanks for existing)
--
Paolo Larcheri
Linux User #383461
https://linuxcounter.net
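
The two points raised in the report (recognising the option and accepting 0 as a value), as an added example that is not code from the report or from Samba. It goes slightly beyond the report by matching the option name exactly and by separating an absent or malformed value from an explicit 0; match_option and parse_warn_days are hypothetical helpers, and only the comparison in should_warn follows the snippet quoted above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>

#define SECONDS_PER_DAY (60 * 60 * 24)
#define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14

/* Hypothetical helper: accept only "name" or "name=value", so a longer
 * name such as "warn_pwd_expirexyz" is not matched by its prefix.
 * Returns the value ("" if none), or NULL for a different option. */
static const char *match_option(const char *arg, const char *name)
{
	size_t n = strlen(name);

	if (strncasecmp(arg, name, n) != 0)
		return NULL;
	if (arg[n] == '\0')
		return "";
	return arg[n] == '=' ? arg + n + 1 : NULL;
}

/* Hypothetical helper: missing, non-numeric, negative or oversized values
 * fall back to the default; an explicit 0 is kept. strtol saturates on
 * overflow, so the range check also covers that case. */
static int parse_warn_days(const char *value)
{
	char *end;
	long days;

	if (value == NULL || *value == '\0')
		return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
	days = strtol(value, &end, 10);
	if (*end != '\0' || days < 0 || days > INT_MAX / SECONDS_PER_DAY)
		return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
	return (int)days;
}

/* Same comparison as the snippet quoted in the report. */
static bool should_warn(time_t next_change, time_t now, int warn_pwd_expire)
{
	return !((next_change < 0) ||
		 (next_change > now + warn_pwd_expire * SECONDS_PER_DAY));
}
```

With warn_pwd_expire set to 0, should_warn only returns true once next_change is no later than now, so a password expiring in the future produces no warning.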